Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Deny inter user traffic per role?

  • 1.  Deny inter user traffic per role?

    Posted Jul 03, 2018 12:47 PM

    Is there a user-role specific way to accomplish this same level of blocking?

    What I am trying to accomplish is this:

    I have an Open Guest network that returns the role guest.
    I would like to put another set of devices that cannot use 802.1x on the guest network, but the devices need to be able to communicate with each other.

    Right now I have deny inter user traffic enabled on the VAP. My thought is I need to remove that option, and move it to the guest user role. 

    The only solution I've come up with is an ACL, which is not ideal since I can't do an ACL that says user user any deny, since it wants source/destination to be different. So I would need to create ACLs specific to sites.



  • 2.  RE: Deny inter user traffic per role?

    MVP EXPERT
    Posted Jul 03, 2018 05:48 PM
    You could maybe make an ACL like...

    Src: User
    Dest: 10.0.0.0 / 255.0.0.0
    Dest: 172.16.0.0 / 255.240.0.0
    Dest: 192.168.0.0 / 255.255.0.0
    Deny

    Or create a guest SSID with deny inter user traffic and a second SSID “contractor” where you allow that.


  • 3.  RE: Deny inter user traffic per role?

    Posted Jul 04, 2018 01:51 AM

    I think that you should limit traffic to the role you are assigned to using the bandwidth option in your role.



  • 4.  RE: Deny inter user traffic per role?
    Best Answer

    Posted Jul 05, 2018 05:21 AM

    Hi Eugene,

    Won't the following ACLs help?

    any <gateway ip> any permit
    any <guest network> any deny
    any any any permit



  • 5.  RE: Deny inter user traffic per role?

    Posted Jul 06, 2018 01:10 PM

    Yes, this would work, and is what I meant by ACL specific to sites.

    I was hoping there was an option I missed that was an easy checkmark in the user-role!


    Thanks!
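
The three-rule ACL from reply 4, modeled as a first-match evaluator in Python. This is an added example, not part of the thread and not ArubaOS syntax. It shows why the gateway permit has to precede the subnet deny, and why the ACL is tied to each site's guest subnet. The addresses, site tuples and function names are constructed for illustration.

```python
# Added illustration: first-match evaluation of the ACL from reply 4.
# All addresses below are constructed sample values, not from the thread.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def build_guest_acl(gateway_ip, guest_network):
    """Ordered rules: permit gateway, deny guest subnet, permit everything else."""
    return [
        (ANY, ip_network(f"{gateway_ip}/32"), "permit"),
        (ANY, ip_network(guest_network), "deny"),
        (ANY, ANY, "permit"),
    ]

def evaluate(acl, src, dst):
    """Return the action of the first rule matching src/dst.
    Falling off the end returns deny (assumed default; unreachable here
    because the last rule matches everything)."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, action in acl:
        if s in rule_src and d in rule_dst:
            return action
    return "deny"

def check_site(gateway_ip, guest_network, client, peer, internet="203.0.113.10"):
    """Evaluate the three flows a guest client cares about at one site."""
    acl = build_guest_acl(gateway_ip, guest_network)
    return {
        "gateway": evaluate(acl, client, gateway_ip),
        "peer": evaluate(acl, client, peer),
        "internet": evaluate(acl, client, internet),
    }

# Constructed per-site values: (gateway, guest subnet)
SITE_A = ("10.10.0.1", "10.10.0.0/24")
SITE_B = ("10.20.0.1", "10.20.0.0/24")

if __name__ == "__main__":
    print("site A:", check_site(*SITE_A, client="10.10.0.50", peer="10.10.0.51"))
    acl_a = build_guest_acl(*SITE_A)
    # Site A's ACL reused at site B no longer blocks guest-to-guest traffic.
    print("site A ACL at site B, peer:", evaluate(acl_a, "10.20.0.50", "10.20.0.51"))
    # With the first two rules swapped, the subnet deny also catches the gateway.
    swapped = [acl_a[1], acl_a[0], acl_a[2]]
    print("swapped order, gateway:", evaluate(swapped, "10.10.0.50", "10.10.0.1"))
```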